Fix buffer overflow when saving compressed DDS images (#9041)

Co-authored-by: Eric Soroos <eric-github@soroos.net>

Author: radarhere

Tests/test_file_dds.py

@@ -511,3 +511,20 @@ def test_save_dx10_bc5(tmp_path: Path) -> None:
     im = hopper("L")
     with pytest.raises(OSError, match="only RGB mode can be written as BC5"):
         im.save(out, pixel_format="BC5")
+
+
+@pytest.mark.parametrize(
+    "pixel_format, mode",
+    (
+        ("DXT1", "RGBA"),
+        ("DXT3", "RGBA"),
+        ("DXT5", "RGBA"),
+        ("BC2", "RGBA"),
+        ("BC3", "RGBA"),
+        ("BC5", "RGB"),
+    ),
+)
+def test_save_large_file(tmp_path: Path, pixel_format: str, mode: str) -> None:
+    im = hopper(mode).resize((440, 440))
+    # should not error in valgrind
+    im.save(tmp_path / "img.dds", pixel_format=pixel_format)

src/libImaging/BcnEncode.c

@@ -258,6 +258,10 @@ ImagingBcnEncode(Imaging im, ImagingCodecState state, UINT8 *buf, int bytes) {
     UINT8 *dst = buf;
 
     for (;;) {
+        // Loop writes a max of 16 bytes per iteration
+        if (dst + 16 >= bytes + buf) {
+            break;
+        }
         if (n == 5) {
             encode_bc3_alpha(im, state, dst, 0);
             dst += 8;